HI I have a client that is going to china.  He needs his gmail and remote deskop there.   Question does vpn stuff like  turbo VPN and Express VPN work there.  They have a rv042 router that has a vpn clinet and pptp, not sure if they work.

For whatever reason my clients who use Spectrum Cable as an ISP can no longer connect to their office VPN. Using a hotspot it works fine and I also tested with ATT with no issues.. Residential Spectrum it can't get past authenication.. I have not called Spectrum yet, wanted to see if anyone else has run into this..

If you need additional info please let me know. Thanks for taking a look at our post.

The problem slow SMB over WAN. Latency avg 27ms  Wiresharks shows the Windows Size is small 8012 for SMB traffic.  Bandwidth 100 MBPS both up and down.  Speed out to the Internet is great both up and down.

Site to Site VPN setup between two Fortigates.  

Copying and opening files between the two sites is slow.  Branch Office has a mix of Win7 and Win10 on the Desktops.  Fileserver is running Win2016.  I have three remote sites with the same problem.  Wireshark tells us we're running SMB 2.0.  

I'm asking for suggestions to increase the file transfer speed over the WAN.  

Fortinet's TAC Level 3 has checked and double checked the Fortigates for misconfiguration errors.  
We have  done things like reduce the MTU size on the Fortigates.  Ran continuous pings on both the private and public interfaces looking for dropped packets.
Checked for mismatched duplexing.  Updated the Fortigates Firmware, Attached laptops directly to the Fortigates and copied files between them, ran Iperf both TCP and UDP between them, etc, etc.

We've read document after document on slow SMB over WAN.  Performance tuning for SMB. - https://www.apachelounge.com/download/contr/Perf-tun-srv-2016.pdf
We've added the registry key for SizReqBuf, and set it to ffff.
Windows Size Scaling is mentioned.
https://www.auvik.com/franklymsp/blog/tcp-window-size/?  This link mentions Windows Scaling is enabled by …

Hi,

Recently here in Expert-Exchange an expert mention Four Ones (1.1.1.1) as an alternative for DNS for a VPN question I had.   Did some google and found that it's from CloudfFare/APNIC, works somewhat as VPN, further their site says they are audited annually by KPMG - so it seems ok or legit.  I am thinking of changing my DNS in all my devices to Four Ones, so I wanted to know the expert thoughts on this.  Is it really faster? Does it work like a VPN? What EE take?

Thank u!

Cannot get Windows Server 2019 SSTP VPN authentication to work. I have set up Windows server 2019 Std on a small ProLiant Microserver straight out of the box. I have installed ADDS, IIS and RRAS , and got a working SSL certificate bound to default website (from LetsEncrypt). I have setup 20 SSTP ports with their own static IP address pool . I am using Windows Authentication (have not installed NPS) and have selected MSChap v2 as a valid authentication protocol.  When I try to connect to this server via this VPN it appears to connect and then immediately fails authentication. It clearly refuses to accept my username and password for the domain (despite that username being an enterprise and domain administrator ).  I have a very similar setup working with a couple of other customers elsewhere but this one just will not work. I have selected Allow Access on the user profile.  Is there something else I've missed?  Something that authorises users to be able to connect to the domain via VPN??

Hi, I have a question for VPN peer IP address. I have a block of public IP addresses I can use. One of them of course is assigned to the public facing interface on my firewall. I need to set up a half dozen site-to-site VPN on the firewall with external agencies. What is the pros and cons of using the interface IP address as the VPN peer IP address for all the VPN sites v.s. using the different public IP address for each individual VPN sites? I am thinking maybe using unique IP address for each VPN peer makes it is easier for tracing and troubleshooting issues, but that's just my random thoughts. Is there a set standard and reasoning as to how you should assign IP address when there are multiple VPN peers?

Also, when it is necessary to NAT the VPN encryption domain (interesting traffic) to a public IP address, is it recommended to use an IP address other than your VPN peer IP address? It seems like using the peer IP for NAT works just fine, but I was told once it's not recommended with no clear explanation.

Thank you in advance for your comments!

I have an IPSec VPN from site 1 to site 2.  The VPN shows up and working.

From site one, I can ping the full range over at site two.  I can ping site 2's full range of 192.168.1.0/23 from site one.

From site 2, I can only ping the first range in the subnet at site 1.  The subnet at site 1 is 10.90.20.0/22 and I can ping anything in the 10.90.20.0-10.90.20.255, but nothing higher than that.

I've verified my two address objects and made sure the mask is correct, but I'm having trouble with this final problem.

Can someone point me in the right direction please?

Thank you

I have set up a replica DC in Azure. My boss wants to get rid of the on-prem DC and only have the one in Azure. I have transferred all the FSMO roles to the Azure Domain controller, but when I remove the Site to Site VPN connection I can't log into the Azure DC anymore. The internet access is being turned off on-prem tomorrow. Am I missing a step?

Cisco IOS SSL VPN on 1941. Caanot access Internet

Im configuring a 1941 router at my home to provide sslVPN for myself while I travel. The main purpose is to get around geofencing. I want all traffic to go across the vpn and exit the internet interface on the same router. with the config below im able to connect to resources on my own network but cannot connect to internet resources.

login as: root
Using keyboard-interactive authentication.
Password:

MyVPNTest#sh run
Building configuration...

Current configuration : 10462 bytes
!
! Last configuration change at 02:57:00 UTC Thu Sep 26 2019
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MyVPNTest
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authentication login sslvpn local
!
!
!
!
!
aaa session-id common
bsd-client server url https://cloudsso.cisco.com/as/token.oauth2
!
!
!
!
!
!
!
!
!

!
!
!
ip domain name vpntest.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4

!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
crypto pki trustpoint my-trustpoint
 enrollment selfsigned
 serial-number
 subject-name CN=firewallcx-certificate
 revocation-check crl
 rsakeypair my-rsa-keys
!
!
crypto pki certificate chain my-trustpoint
 certificate self-signed 01
  30820291 308201FA A0030201 02020101 300D0609 2A864886 F70D0101 …

We have a site to site VPN tunnel which has been performing well for 4 years.  We are seeing increased traffic this week and are seeing select devices unable to reliably access the tunnel for periods of several minutes to several hours while other devices are able to connect across the tunnel.

The VPN tunnel is used to access a terminal server in a remote site using handheld computers running Windows CE.  We typcially have 12 devices deployed.  Currently we have 18 devices deployed for a 2 week project.

We are seeing that during peak times (more users connected to the RDP server) select devices will be unable to connect.  Pings from the affected device will range from 100% loss to 0%.  The ping failure rate fluctuates.  Users may sometimes connect to the RDP server for a few minutes before being disconnected again.

This problem seems to last between 10 - 120 minutes.

I have taken packet captures at the ASA and see that both ICMP and RDP packets are arriving on the inside interface - the portable computer having the problem is transmitting correctly.

My problem is how do I ensure the ASA is encapsulating these packets and sending them out the Outside interface reliably.  I have taken packet captures on the outside interface but do not know of a way to match these encapsulated packets up to those originating from the problem computer.

I have reviewed: Show crypto ipsec sa

 #pkts encaps: 9228711, #pkts encrypt: 9228711, #pkts digest: 9228711
      

Select all Open in new window

…

Hi Experts, my colleagues alleges that VPN are totally untraceable.  Yet I tell them that even though one is not traced via the use of a VPN, government can request of the users VPN provider a history of sites visited.  And if the VPN is free, it's even more viable for government access their activity logs (some stuff I learn with u guys!).  So what is the experts take on this? and How viable is my colleagues statements?

Two separate businesses using the same domain name have now merged into one.
This is the first time I've ran into this and hope someone could shed some light. We've recently acquired a new client who at one point had two domain controllers. Server 2008 and Server 2012. They moved Server 2012 over to a new location as part of a different business, but kept the same domain name. Server 2008 AD sees the 2012 as a DC, However 2012 doesn't see 2008 as a DC. They are now on different networks, but recently was configured to tunnel back to corporate to share resources.

What I'm trying to accomplish: Join a 2016 DC to their corporate to decommission 2008.

Error I'm getting when promoting 2016 to a DC: "Active Directory preparation failed. The schema master did not complete a replication cycle after the last reboot."



What I've gathered so far.

Server 2008 - DC - samedomain.local - Corporate Office

At one point was replicating to 2012.
Server 2012 - DC - samedomain.local - Remote Office

No longer replicating from 2008.
Recently a WatchGuard VPN was put in so the two locations could talk and share resources. Different IP schemes, and they don't know about each other.

My Question: Can I safely remove 2012 DC from 2008 to stop attemping replication and at the same time continue to operate both under the same domain names, but seperate?

Remote Office will still use 2012 to authenticate locally until we can sit down and plan out a migration plan several …

I've been experiencing this issue when logging into our network from different locations including VPN where drives and folders I normally have access to are no longer available.  Some network shares fail to connect completely and some only show me some folders but not all of them.  This is very strange behavior and I'm not sure what could be accounting for it.

These sites are networked through a wan connection and has DC's at both sites that are trusted.